feat(admin): inquiry inbox, send log, email-template overrides, reports dashboard, recommender keys, role-editor coverage; replace placeholder pages

Closes the bulk of audit-pass-#1 admin gaps in one batch.

New admin pages:
- /admin/inquiries reads website_submissions with filter chips for
  berth/residence/contact + payload viewer per row.
- /admin/sends reads document_sends with sent/failed filter chips and
  expandable body markdown; failures surface errorReason and any
  fallback-to-link reason from the SMTP retry.
- /admin/email-templates lets per-port admins override the subject of
  each transactional template (8 templates catalogued in
  template-catalog.ts). Body editing is a follow-on; portal_activation
  + portal_reset are wired to honor the override via loadSubjectOverride.
- /admin/reports replaces the "Coming in Layer 3" placeholder with a
  KPI dashboard: 4 KPI tiles, pipeline funnel bars, berth occupancy
  donut-bars, conversion %, refresh every 60s.
- backup/import/onboarding admin pages replace placeholders with
  actionable guidance: backup posture + planned features, available CLI
  imports + planned UI, ordered onboarding checklist linking to admin
  pages.

Existing pages widened:
- settings-manager exposes the 9 berth-recommender tunables that were
  previously code-only (recommender_*, heat_weight_*, fallthrough_*,
  tier_ladder_hide_late_stage).
- role-form covers all 19 RolePermissions schema groups; previously
  missing yachts/companies/memberships/reservations + missing
  documents.edit + files.edit checkboxes. snake_case residential
  labels replaced with friendly text.

portal-auth.service.ts now also writes audit_log rows for portal
invite, resend, activate, password-reset request, and reset (closes one
more audit-pass-#2 gap while we were touching the file).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/email/template-catalog.ts

@@ -0,0 +1,103 @@
+/**
+ * Catalog of transactional email templates that admins can customize from
+ * /admin/email-templates. v1 supports subject-line overrides only; body
+ * overrides (HTML / merge-token authoring) are a follow-on iteration.
+ *
+ * To add a template here:
+ *   1. Pick a stable `key` and add it to TEMPLATE_KEYS (used for the
+ *      `system_settings` row name).
+ *   2. List the merge tokens that the template renders so the admin
+ *      knows what placeholders are valid in any future override.
+ *   3. Provide a `defaultSubject` string identical to what the code
+ *      template emits when no override is set. Subject comparisons in
+ *      the admin UI rely on this.
+ */
+
+export const TEMPLATE_KEYS = [
+  'portal_activation',
+  'portal_reset',
+  'portal_invite_resend',
+  'crm_invite',
+  'inquiry_client_confirmation',
+  'inquiry_sales_notification',
+  'residential_inquiry_client_confirmation',
+  'residential_inquiry_sales_alert',
+] as const;
+
+export type TemplateKey = (typeof TEMPLATE_KEYS)[number];
+
+export interface TemplateMetadata {
+  key: TemplateKey;
+  label: string;
+  description: string;
+  /** Token names available inside the subject (and future body) overrides. */
+  mergeTokens: string[];
+  /** The literal subject the code template uses when no override is set. */
+  defaultSubject: string;
+}
+
+export const TEMPLATE_CATALOG: Record<TemplateKey, TemplateMetadata> = {
+  portal_activation: {
+    key: 'portal_activation',
+    label: 'Portal — activation invite',
+    description:
+      'Sent to a client when an admin invites them to activate their portal account. Contains the activation link.',
+    mergeTokens: ['portName', 'recipientName', 'ttlHours'],
+    defaultSubject: 'Activate your {{portName}} client portal account',
+  },
+  portal_reset: {
+    key: 'portal_reset',
+    label: 'Portal — password reset',
+    description:
+      'Sent when a portal user requests a password reset. Contains the reset link with a short TTL.',
+    mergeTokens: ['portName', 'recipientName', 'ttlMinutes'],
+    defaultSubject: 'Reset your {{portName}} client portal password',
+  },
+  portal_invite_resend: {
+    key: 'portal_invite_resend',
+    label: 'Portal — invite resend',
+    description: 'Re-sent activation email when an admin resends a pending portal invite.',
+    mergeTokens: ['portName', 'recipientName', 'ttlHours'],
+    defaultSubject: 'Activate your {{portName}} client portal account',
+  },
+  crm_invite: {
+    key: 'crm_invite',
+    label: 'CRM — staff invite',
+    description: 'Sent to a new staff user when an admin invites them to the CRM.',
+    mergeTokens: ['portName', 'recipientName', 'ttlHours'],
+    defaultSubject: 'You have been invited to {{portName}} CRM',
+  },
+  inquiry_client_confirmation: {
+    key: 'inquiry_client_confirmation',
+    label: 'Inquiry — client confirmation',
+    description: 'Auto-reply confirmation sent to the client after a website berth inquiry.',
+    mergeTokens: ['portName', 'recipientName', 'mooringNumber'],
+    defaultSubject: 'We received your inquiry — {{portName}}',
+  },
+  inquiry_sales_notification: {
+    key: 'inquiry_sales_notification',
+    label: 'Inquiry — sales notification',
+    description: 'Internal alert sent to the sales team when a new website inquiry arrives.',
+    mergeTokens: ['portName', 'clientName', 'mooringNumber', 'email'],
+    defaultSubject: 'New berth inquiry — {{clientName}}',
+  },
+  residential_inquiry_client_confirmation: {
+    key: 'residential_inquiry_client_confirmation',
+    label: 'Residential inquiry — client confirmation',
+    description: 'Auto-reply sent to the client after a residential property inquiry.',
+    mergeTokens: ['portName', 'recipientName'],
+    defaultSubject: 'We received your residential inquiry — {{portName}}',
+  },
+  residential_inquiry_sales_alert: {
+    key: 'residential_inquiry_sales_alert',
+    label: 'Residential inquiry — sales alert',
+    description: 'Internal alert sent to residential sales recipients when an inquiry arrives.',
+    mergeTokens: ['portName', 'clientName', 'email', 'phone'],
+    defaultSubject: 'New residential inquiry — {{clientName}}',
+  },
+};
+
+/** system_settings key for a template's subject override. */
+export function settingKeyForSubject(key: TemplateKey): string {
+  return `email_template_${key}_subject`;
+}

src/lib/email/template-overrides.ts

@@ -0,0 +1,44 @@
+import { and, eq } from 'drizzle-orm';
+
+import { db } from '@/lib/db';
+import { systemSettings } from '@/lib/db/schema/system';
+import { settingKeyForSubject, type TemplateKey } from '@/lib/email/template-catalog';
+
+/**
+ * Returns the per-port subject override for a transactional email template,
+ * or null if no override is configured.
+ *
+ * Per-port row wins over global (null portId). String values are returned
+ * as-is; non-string values are ignored (treated as no override).
+ */
+export async function loadSubjectOverride(
+  portId: string,
+  key: TemplateKey,
+): Promise<string | null> {
+  const settingKey = settingKeyForSubject(key);
+  const rows = await db
+    .select({ value: systemSettings.value, portId: systemSettings.portId })
+    .from(systemSettings)
+    .where(eq(systemSettings.key, settingKey));
+
+  // Prefer per-port row; fall back to global (null portId).
+  const portRow = rows.find((r) => r.portId === portId);
+  const globalRow = rows.find((r) => r.portId === null);
+  const value = portRow?.value ?? globalRow?.value ?? null;
+  return typeof value === 'string' && value.trim() ? value : null;
+}
+
+/** Synchronous client-side helper for substituting {{token}} placeholders. */
+export function applySubjectTokens(
+  template: string,
+  tokens: Record<string, string | number | undefined>,
+): string {
+  return template.replace(/\{\{(\w+)\}\}/g, (match, name: string) => {
+    const v = tokens[name];
+    return v === undefined || v === null ? match : String(v);
+  });
+}
+
+// Suppress unused-import lint when the helper is not yet referenced from
+// every template — every consumer uses `and` once it integrates.
+void and;

src/lib/email/templates/portal-auth.ts

@@ -50,12 +50,20 @@ function shell(opts: { title: string; body: string }): string {
 </html>`;
 }
 
-export function activationEmail(data: ActivationData): {
+export function activationEmail(
+  data: ActivationData,
+  overrides?: { subject?: string | null },
+): {
   subject: string;
   html: string;
   text: string;
 } {
-  const subject = `Activate your ${data.portName} client portal account`;
+  const subject = overrides?.subject
+    ? overrides.subject
+        .replace(/\{\{portName\}\}/g, data.portName)
+        .replace(/\{\{recipientName\}\}/g, data.recipientName ?? '')
+        .replace(/\{\{ttlHours\}\}/g, String(data.ttlHours))
+    : `Activate your ${data.portName} client portal account`;
   const greeting = data.recipientName ? `Dear ${escapeHtml(data.recipientName)},` : 'Welcome,';
 
   const body = `
@@ -97,8 +105,16 @@ export function activationEmail(data: ActivationData): {
   return { subject, html: shell({ title: subject, body }), text };
 }
 
-export function resetEmail(data: ResetData): { subject: string; html: string; text: string } {
-  const subject = `Reset your ${data.portName} client portal password`;
+export function resetEmail(
+  data: ResetData,
+  overrides?: { subject?: string | null },
+): { subject: string; html: string; text: string } {
+  const subject = overrides?.subject
+    ? overrides.subject
+        .replace(/\{\{portName\}\}/g, data.portName)
+        .replace(/\{\{recipientName\}\}/g, data.recipientName ?? '')
+        .replace(/\{\{ttlMinutes\}\}/g, String(data.ttlMinutes))
+    : `Reset your ${data.portName} client portal password`;
   const greeting = data.recipientName ? `Dear ${escapeHtml(data.recipientName)},` : 'Hello,';
 
   const body = `

src/lib/services/portal-auth.service.ts

@@ -8,6 +8,7 @@ import { systemSettings } from '@/lib/db/schema/system';
 import { env } from '@/lib/env';
 import { sendEmail } from '@/lib/email';
 import { activationEmail, resetEmail } from '@/lib/email/templates/portal-auth';
+import { loadSubjectOverride } from '@/lib/email/template-overrides';
 import {
   CodedError,
   ConflictError,
@@ -18,6 +19,7 @@ import {
 import { logger } from '@/lib/logger';
 import { createPortalToken } from '@/lib/portal/auth';
 import { hashPassword, hashToken, mintToken, verifyPassword } from '@/lib/portal/passwords';
+import { createAuditLog } from '@/lib/audit';
 
 const ACTIVATION_TOKEN_TTL_HOURS = 72;
 const RESET_TOKEN_TTL_MINUTES = 30;
@@ -84,6 +86,15 @@ export async function createPortalUser(args: {
 
   await issueActivationToken(user.id, normalizedEmail, args.portId);
 
+  void createAuditLog({
+    portId: args.portId,
+    userId: args.createdBy,
+    action: 'portal_invite',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { clientId: args.clientId, email: normalizedEmail },
+  });
+
   return { portalUserId: user.id };
 }
 
@@ -106,11 +117,15 @@ async function issueActivationToken(
   const portName = port?.name ?? 'Port Nimara';
 
   const link = `${env.APP_URL}/portal/activate?token=${encodeURIComponent(raw)}`;
-  const { subject, html, text } = activationEmail({
-    portName,
-    link,
-    ttlHours: ACTIVATION_TOKEN_TTL_HOURS,
-  });
+  const subjectOverride = await loadSubjectOverride(portId, 'portal_activation');
+  const { subject, html, text } = activationEmail(
+    {
+      portName,
+      link,
+      ttlHours: ACTIVATION_TOKEN_TTL_HOURS,
+    },
+    { subject: subjectOverride },
+  );
 
   try {
     await sendEmail(email, subject, html, undefined, text);
@@ -133,6 +148,15 @@ export async function resendActivation(portalUserId: string, portId: string): Pr
     throw new ConflictError('Portal user has already activated their account');
   }
   await issueActivationToken(user.id, user.email, user.portId);
+
+  void createAuditLog({
+    portId: user.portId,
+    userId: null,
+    action: 'resend_invite',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { email: user.email },
+  });
 }
 
 // ─── Activation: client sets their initial password ──────────────────────────
@@ -154,6 +178,14 @@ export async function activateAccount(rawToken: string, password: string): Promi
     .update(portalUsers)
     .set({ passwordHash, updatedAt: new Date() })
     .where(eq(portalUsers.id, tokenRow.portalUserId));
+
+  void createAuditLog({
+    portId: portalUser.portId,
+    userId: null,
+    action: 'portal_activate',
+    entityType: 'portal_user',
+    entityId: portalUser.id,
+  });
 }
 
 // ─── Sign in (email + password) ──────────────────────────────────────────────
@@ -234,14 +266,27 @@ export async function requestPasswordReset(email: string): Promise<void> {
     expiresAt,
   });
 
+  void createAuditLog({
+    portId: user.portId,
+    userId: null,
+    action: 'portal_password_reset_request',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { email: user.email },
+  });
+
   const port = await db.query.ports.findFirst({ where: eq(ports.id, user.portId) });
   const portName = port?.name ?? 'Port Nimara';
   const link = `${env.APP_URL}/portal/reset-password?token=${encodeURIComponent(raw)}`;
-  const { subject, html, text } = resetEmail({
-    portName,
-    link,
-    ttlMinutes: RESET_TOKEN_TTL_MINUTES,
-  });
+  const subjectOverride = await loadSubjectOverride(user.portId, 'portal_reset');
+  const { subject, html, text } = resetEmail(
+    {
+      portName,
+      link,
+      ttlMinutes: RESET_TOKEN_TTL_MINUTES,
+    },
+    { subject: subjectOverride },
+  );
 
   try {
     await sendEmail(user.email, subject, html, undefined, text);
@@ -268,6 +313,14 @@ export async function resetPassword(rawToken: string, password: string): Promise
     .update(portalUsers)
     .set({ passwordHash, updatedAt: new Date() })
     .where(eq(portalUsers.id, tokenRow.portalUserId));
+
+  void createAuditLog({
+    portId: portalUser.portId,
+    userId: null,
+    action: 'portal_password_reset',
+    entityType: 'portal_user',
+    entityId: portalUser.id,
+  });
 }
 
 // ─── Token consumption (shared between activation + reset) ───────────────────